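# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0

# Builds a single PEM bundle (${prefix}/share/${name}/${name}.pem) out of
# Apple's published CA certificates plus, per variant, the macOS system root
# keychain and a handful of DigiCert CAs.  Helper scripts from files/ are
# installed next to the bundle.

name                apple-pki-bundle
version             2022-11-12
revision            0
categories          net www security
license             OpenSSL
maintainers         {ieee.org:s.t.smith @essandess} openmaintainer
supported_archs     noarch
platforms           {darwin any}
description         Apple PKI certificate bundle
long_description    Installs a bundle of certification authority certificates \
                    (CA certs) used on Apple devices.

homepage            https://www.apple.com/certificateauthority/
master_sites        https://www.apple.com/appleca:appleca \
                    https://www.apple.com/certificateauthority:certificateauthority \
                    https://developer.apple.com/certificationauthority:certificationauthority \
                    https://geotrust.tbs-certificats.com:geotrust \
                    https://cacerts.digicert.com:digicert

# Every distfile below is pinned by rmd160/sha256/size in `checksums`, so a
# silently replaced upstream file fails the fetch rather than entering the
# bundle.  (The PEMs fetched live in post-extract are NOT pinned; see there.)
distfiles           AppleIncRootCertificate.cer:appleca \
                    AppleComputerRootCertificate.cer:certificateauthority \
                    AppleRootCA-G2.cer:certificateauthority \
                    AppleRootCA-G3.cer:certificateauthority \
                    AppleISTCA2G1.cer:certificateauthority \
                    AppleISTCA8G1.cer:certificateauthority \
                    AppleAAICA.cer:certificateauthority \
                    AppleAAI2CA.cer:certificateauthority \
                    AppleAAICAG3.cer:certificateauthority \
                    AppleApplicationIntegrationCA5G1.cer:certificateauthority \
                    DevAuthCA.cer:certificateauthority \
                    DeveloperIDCA.cer:certificateauthority \
                    AppleSoftwareUpdateCertificationAuthority.cer:certificateauthority \
                    AppleTimestampCA.cer:certificateauthority \
                    AppleWWDRCA.cer:certificationauthority \
                    AppleWWDRCAG2.cer:certificateauthority \
                    AppleWWDRCAG3.cer:certificateauthority \
                    AppleWWDRCAG5.cer:certificateauthority \
                    AppleWWDRCAG6.cer:certificateauthority \
                    GeoTrust_Global_CA.crt:geotrust \
                    GeoTrustPCA-G2.crt:digicert

# all updates of these certs will be "stealth updates";
# see: https://trac.macports.org/wiki/PortfileRecipes#stealth-updates
dist_subdir         ${name}/${version}

checksums           AppleIncRootCertificate.cer \
                    rmd160  f86e77359a6a61f20fd8eb0deb854ad5a510412a \
                    sha256  b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 \
                    size    1215 \
                    AppleComputerRootCertificate.cer \
                    rmd160  fb3672c5e3c74df263e193b8e3df845dd6d33c51 \
                    sha256  0d83b611b648a1a75eb8558400795375cad92e264ed8e9d7a757c1f5ee2bb22d \
                    size    1470 \
                    AppleRootCA-G2.cer \
                    rmd160  300b620e7c4f611e907ae48aebfa8c1858e55a1c \
                    sha256  c2b9b042dd57830e7d117dac55ac8ae19407d38e41d88f3215bc3a890444a050 \
                    size    1430 \
                    AppleRootCA-G3.cer \
                    rmd160  4b9f77626fc3b924f105f58c99af71e157c6c2d6 \
                    sha256  63343abfb89a6a03ebb57e9b3f5fa7be7c4f5c756f3017b3a8c488c3653e9179 \
                    size    583 \
                    AppleISTCA2G1.cer \
                    rmd160  f6c2ce67929e860f399e26309af603a2e8c942f9 \
                    sha256  b0d40aa5f024f98e7adc0b10f19764f71030cfaf3dcc4ddc6600869499c9baaa \
                    size    1146 \
                    AppleISTCA8G1.cer \
                    rmd160  49d458253b7801341f6280efb5d46338c4688875 \
                    sha256  63ed1030fe1001060589f4e8ac955768fc0880bcc42be7d906d590e327a57142 \
                    size    1216 \
                    AppleAAICA.cer \
                    rmd160  b4ccf1798244801aa784b7ff0c049c963a20ca29 \
                    sha256  2528ba7d9348d6cbc83b169b24860ae7a87a6359c0e5274626edfe8f6c04e2b8 \
                    size    1489 \
                    AppleAAI2CA.cer \
                    rmd160  d623a06611224ea258af9aba8e7f90f5a3dc5b50 \
                    sha256  d3496f4b73cd67aab9f2fcb1d5aa41f8dc457769c455c792b70ddb19e92023d6 \
                    size    1052 \
                    AppleAAICAG3.cer \
                    rmd160  5cf343caf0c2836cb7c374f4489af1925da544cb \
                    sha256  a64b099dbd73ebb036b4204e1675e8aa821637d09b84980899104ad59d664a3b \
                    size    754 \
                    AppleApplicationIntegrationCA5G1.cer \
                    rmd160  acea444545ee49c6f7bb852e87aa9cee44cc3546 \
                    sha256  c0d8efbea821079d1b8a98e1198bfcc669331fa7a9c14f09b969f0af08ce4a43 \
                    size    765 \
                    DevAuthCA.cer \
                    rmd160  130856ebc4cc8503fd3bc253b115f1ad50aafd32 \
                    sha256  341ff0b1753889eb5f36921a7386129f302ce4ff603fabaebf06e01fdb236860 \
                    size    1051 \
                    DeveloperIDCA.cer \
                    rmd160  829a7ac0b3daab8b8ab7c5252599b1491aa9d987 \
                    sha256  7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f \
                    size    1032 \
                    AppleSoftwareUpdateCertificationAuthority.cer \
                    rmd160  969679b4511ae94133497c0014e9a95154336ff0 \
                    sha256  1299e9bfe776a29ff452f8c4f5e55f3b4dfd2934349dd1850b8274f35c71745c \
                    size    1136 \
                    AppleTimestampCA.cer \
                    rmd160  414a1dc61e313c238adc47f1d8380aa5bb400173 \
                    sha256  5eb2b6f76a173e6876ccaca696817bf1a0575e8d5f2a81653e1ddf8dafb751fc \
                    size    1456 \
                    AppleWWDRCA.cer \
                    rmd160  56edfda4fc5664a5431c4fef431d60ac43c5e872 \
                    sha256  ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2 \
                    size    1062 \
                    AppleWWDRCAG2.cer \
                    rmd160  0d4330029e28cb238e264d3bc238d4b1798e9385 \
                    sha256  9ed4b3b88c6a339cf1387895bda9ca6ea31a6b5ce9edf7511845923b0c8ac94c \
                    size    763 \
                    AppleWWDRCAG3.cer \
                    rmd160  17665bab909900697ee8a9c558b56d986dd8e3e4 \
                    sha256  dcf21878c77f4198e4b4614f03d696d89c66c66008d4244e1b99161aac91601f \
                    size    1109 \
                    AppleWWDRCAG5.cer \
                    rmd160  b20a437bdd39e2d960a51164badb7124094e083e \
                    sha256  53fd008278e5a595fe1e908ae9c5e5675f26243264a5a6438c023e3ce2870760 \
                    size    1113 \
                    AppleWWDRCAG6.cer \
                    rmd160  505ae3637933095ddf6cb40aa12bf0b1ded0ab09 \
                    sha256  bdd4ed6e74691f0c2bfd01be0296197af1379e0418e2d300efa9c3bef642ca30 \
                    size    794 \
                    GeoTrust_Global_CA.crt \
                    rmd160  b481fa4b7532b3d6b353463267df2eafeea8a043 \
                    sha256  9bde21d1c3414421fc6ff9ae79f1688c0193bc1cd0f1417f9adf0cdbed3b6250 \
                    size    1236 \
                    GeoTrustPCA-G2.crt \
                    rmd160  fc4e5fc888b926cd12871ac9b650cf68b028736e \
                    sha256  5edb7ac43b82a06a8761e8d7be4979ebf2611f7dd79bf91c1c6b566a219ed766 \
                    size    690

# non-Apple CAs in the bundle
# for f in ${worksrcpath}/*.pem; do openssl x509 -inform pem -text -noout -in ${f}; done | grep 'CN = ' | grep -v Apple

# Paths shared by the phases below.
#   system_roots_keychain          PEM export of the system roots used by build
#   system_roots_keychain_default  where that export is taken from: a snapshot
#                                  shipped in files/, or (with the variant) a
#                                  fresh dump made in post-extract
#   pki_dir / pki_bundle           install location and final bundle name
#   pki_bundle_downloaded          concatenation of the fetched distfiles only
set system_roots_keychain \
    "${worksrcpath}/macOS System Roots.pem"
set system_roots_keychain_default \
    "${filespath}/macOS System Roots 20211101.pem"
set pki_dir ${prefix}/share/${name}
set pki_bundle ${name}.pem
set pki_bundle_downloaded ${name}_downloaded.pem

variant system_roots_keychain \
    description {Use /System/Library/Keychains/SystemRootCertificates.keychain.} {
    # Redirect the default to a file post-extract fills from the live keychain.
    set system_roots_keychain_default \
        "${worksrcpath}/macOS System Roots native.pem"
}

variant additional_pki_bundle \
    description {Add PKI bundle used by GitHub assets, possibly others.} {
    # openssl s_client -showcerts github.githubassets.com:443 | sed -E '1,/^---$/d' | sed '/^---$/,$d' 1> cert.pem
    # openssl x509 -text -noout -in cert.pem
    # openssl verify -CAfile trustedCAs.pem cert.pem
    distfiles-append \
        DigiCertHighAssuranceEVRootCA.crt:digicert \
        DigiCertSHA2HighAssuranceServerCA.crt:digicert \
        DigiCertTLSHybridECCSHA3842020CA1-1.crt:digicert \
        DigiCertTLSRSASHA2562020CA1-1.crt:digicert
    checksums-append \
        DigiCertHighAssuranceEVRootCA.crt \
        rmd160  96b6f2d9f8e1ad3fa1868b3b9053160ef8b282c8 \
        sha256  7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf \
        size    969 \
        DigiCertSHA2HighAssuranceServerCA.crt \
        rmd160  a2f7fc7707f0ff19f19c85070e1ab1e29793793d \
        sha256  19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0 \
        size    1205 \
        DigiCertTLSHybridECCSHA3842020CA1-1.crt \
        rmd160  1343b2ded7573c390e5f1405e1044ff5774b5afd \
        sha256  f7a9a1b2fd964a3f2670bd668d561fb7c55d3aa9ab8391e7e169702db8a3dbcf \
        size    1051 \
        DigiCertTLSRSASHA2562020CA1-1.crt \
        rmd160  68d5f2b0e1dd6cf8a96d0b4d23a9de5aba203265 \
        sha256  52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14 \
        size    1218
}

default_variants    +system_roots_keychain +additional_pki_bundle

# Fetch ${url} and keep only the last PEM certificate block of the response,
# written to ${worksrcpath}/${pem}.
#
# The two uu-tac/sed passes trim everything before the final
# "-----BEGIN CERTIFICATE-----" and everything after the following
# "-----END CERTIFICATE-----".
#
# `-f` makes curl exit non-zero on an HTTP error instead of handing the error
# page body to the filters, and stderr is no longer merged into the pipeline,
# so curl's progress meter / error text cannot be written into ${pem}.
# Because the pipeline's status is that of the last sed, a curl failure alone
# still would not abort the phase; the trailing openssl call does, by
# refusing anything that does not parse as an X.509 certificate.  Nothing
# here pins the content (unlike `checksums`), so that parse check is the only
# gate before the file can become a trust anchor.
proc url_to_pem {url pem} {
    global worksrcpath
    system -W ${worksrcpath} \
        "curl -fsSL '${url}' | uu-tac | sed '/^-----BEGIN CERTIFICATE-----$/q' | uu-tac | sed '/^-----END CERTIFICATE-----$/q' > ${pem}"
    system -W ${worksrcpath} \
        "openssl x509 -noout -in ${pem}"
}

# uu-tac comes from coreutils-uutils; file(1) and openssl are used in build.
depends_build-append \
    path:libexec/coreutils/libstdbuf.so:coreutils \
    port:coreutils-uutils \
    port:file \
    path:bin/openssl:openssl

# Nothing to unpack: the distfiles are consumed from ${distpath} in build.
extract.only
extract.mkdir       yes

post-extract {
    # https://www.apple.com/certificateauthority/public/
    # NOTE(review): these PEMs land in ${worksrcpath}, while build only globs
    # ${distpath} and ${worksrcpath}/pemfiles; unless one of the files/ scripts
    # reads them, they do not reach the bundle -- confirm.
    foreach {url pem} {
        https://valid-aaa-rsa.apple.com/ apsrsa12g1.pem
        https://valid-aaa-ecc.apple.com/ apsecc12g1.pem
        https://valid-gr2-rsa.apple.com/ apevsrsa1g1.pem
        https://valid-har-rsa.apple.com/ apevsrsa2g1.pem
        https://valid-gr3-ecc.apple.com/ apevsecc1g1.pem
    } {
        url_to_pem ${url} ${pem}
    }

    xinstall -d ${workpath}/bin \
        ${worksrcpath}/pemfiles

    # With the variant, dump the live system roots as PEM; otherwise the
    # snapshot from files/ is used.  Either way it is copied to
    # ${system_roots_keychain} for build.
    if { [variant_isset "system_roots_keychain"] } {
        system -W ${worksrcpath} \
            "security find-certificate -a -p \
                /System/Library/Keychains/SystemRootCertificates.keychain \
                > '${system_roots_keychain_default}'"
    }
    xinstall ${system_roots_keychain_default} \
        "${system_roots_keychain}"

    # Helper scripts are staged under ${workpath}/bin so build can run them
    # and destroot can install them.
    xinstall -m 0755 \
        ${filespath}/pems_not_in_pemfile.sh \
        ${filespath}/pems_that_wont_expire_soon.sh \
        ${filespath}/pems_add_to_macOS_System_Keychain.sh \
        ${workpath}/bin
}

use_configure       no

build {
    # Normalise every distfile to PEM under ${worksrcpath}/pemfiles.  Files
    # that file(1) already reports as PEM or plain text are copied; anything
    # else is assumed DER and converted.  `-text` also writes a human-readable
    # dump ahead of the PEM block, presumably why "ASCII text" is accepted by
    # the second check below.
    foreach f [glob ${distpath}/*.{cer,crt,der,pem}] {
        if { [file isfile ${f}] } {
            regsub {\.(cer|crt|der|pem)$} [file tail ${f}] .pem pem
            # `|| true` keeps a file(1) failure from aborting; an empty type
            # then falls through to the DER conversion.
            set file_type [exec /bin/sh -c \
                "file ${f} | sed -E 's|^.+: ||' 2>/dev/null || true"]
            if {[regexp {^(PEM certificate|ASCII text)$} ${file_type}]} {
                file copy ${f} ${worksrcpath}/pemfiles/${pem}
            } else {
                system -W ${worksrcpath}/pemfiles \
                    "openssl x509 -inform der -outform pem -text -in ${f} -out ${pem}"
            }
        }
    }

    # cat all pem files to a single file
    set outfile [open ${worksrcpath}/${pki_bundle_downloaded} w]
    foreach f [glob ${worksrcpath}/pemfiles/*.pem] {
        set file_type [exec /bin/sh -c \
            "file ${f} | sed -E 's|^.+: ||' 2>/dev/null || true"]
        if {[regexp {^(PEM certificate|ASCII text)$} ${file_type}]} {
            set sourcefile [open ${f} r]
            chan copy ${sourcefile} ${outfile}
            close ${sourcefile}
        } else {
            ui_warn "Not installing ${f} because it is not a PEM file."
        }
    }
    close ${outfile}

    # Final bundle = system roots filtered by pems_that_wont_expire_soon.sh,
    # followed by whatever in the downloaded set pems_not_in_pemfile.sh
    # reports as not already present.  The -temp file is created empty first
    # so the `>>` appends have a target.
    set outfile [open ${worksrcpath}/${pki_bundle}-temp w]
    close ${outfile}
    system -W ${worksrcpath} \
        "${workpath}/bin/pems_that_wont_expire_soon.sh \
            '${system_roots_keychain}' \
            >> ${pki_bundle}-temp"
    copy ${worksrcpath}/${pki_bundle}-temp ${worksrcpath}/${pki_bundle}
    system -W ${worksrcpath} \
        "${workpath}/bin/pems_not_in_pemfile.sh \
            ${pki_bundle_downloaded} ${pki_bundle}-temp \
            >> ${pki_bundle}"
}

destroot {
    # Bundle plus the helper scripts staged in post-extract.
    xinstall -d ${destroot}${pki_dir}/bin
    xinstall ${worksrcpath}/${pki_bundle} ${destroot}${pki_dir}
    foreach f [glob ${workpath}/bin/*.sh] {
        xinstall -m 0755 ${f} ${destroot}${pki_dir}/bin
    }
}

notes "\
To add trusted certificates to the macOS System Keychain\
(/Library/Keychains/System.keychain), please see the script\
${pki_dir}/bin/pems_add_to_macOS_System_Keychain.sh,\
and make sure that you have a reliable backup of the keychain\
before running the script.
"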